Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint

We address the problem of polynomial time factoring RSA moduli $N_1 = p_1 q_1$ with the help of an oracle. As opposed to other approaches that require an oracle that explicitly outputs bits of $p_1$, we use an oracle that gives only implicit information about $p_1$. Namely, our oracle outputs a different $N_2 = p_2 q_2$ such that $p_1$ and $p_2$ share the $t$ least significant bits. Surprisingly, this implicit information is already sufficient to efficiently factor $N_1$, $N_2$ provided that $t$ is large enough. We then generalize this approach to more than one oracle query.
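The following is an added example, not code from the paper: a check that a key-generation audit can run on two moduli to see whether their primes agree on $t$ low bits. The function names, the toy primes and the two-dimensional lattice reduction used here are assumptions of this example; the abstract above does not spell out the construction.

```python
# Added example. Toy-sized, constructed inputs; helper names are hypothetical.

def shortest_vector(u, v):
    """Lagrange-Gauss reduction of a 2-D integer lattice basis."""
    dot = lambda a, b: a[0] * b[0] + a[1] * b[1]
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        n = dot(u, u)
        m = (2 * dot(u, v) + n) // (2 * n)      # nearest integer to <u,v>/<u,u>
        v = (v[0] - m * u[0], v[1] - m * u[1])
        if dot(v, v) >= n:
            return u
        u, v = v, u


def shared_lsb_factors(n1, n2, t):
    """Return ((p1, q1), (p2, q2)) if n1, n2 hide primes p1, p2 that agree on
    their t low bits and q1, q2 are short enough; otherwise None."""
    mod = 1 << t
    # p1 = p2 (mod 2^t) gives n2/n1 = q2/q1 (mod 2^t), so (q1, q2) lies in the
    # lattice spanned by (1, a) and (0, 2^t). It is the shortest vector there
    # when 2^t is well above q1^2 + q2^2, which is the "t large enough" case.
    a = n2 * pow(n1, -1, mod) % mod
    x, y = shortest_vector((1, a), (0, mod))
    q1, q2 = abs(x), abs(y)
    if 1 < q1 < n1 and 1 < q2 < n2 and n1 % q1 == 0 and n2 % q2 == 0:
        return (n1 // q1, q1), (n2 // q2, q2)
    return None


# Constructed sample: the Mersenne primes 2^61-1 and 2^89-1 agree on their
# 61 low bits; 65521 and 65537 are the short cofactors.
P1, P2, Q1, Q2 = 2**61 - 1, 2**89 - 1, 65521, 65537
N1, N2 = P1 * Q1, P2 * Q2

if __name__ == "__main__":
    print(shared_lsb_factors(N1, N2, 61))
```

A non-`None` result means the generator that produced both keys leaks enough about its primes that neither modulus should remain in service.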
